ARTIFACTS

D3FEND

Top Level Artifacts

Digital Artifact

Address Space

Memory Extent

Shadow Stack

Thread

Memory Address

Page Table

Software Package

User

User Account

User Action

User Behavior

User Interface

User to User Message

Volume

Dependency

Link

Binary Large Object

Binary Segment

Blob

Block Device

Boot Loader

Call Stack

Certificate

Clipboard

Command

Credential

Cryptographic Key

Database

Decoy Artifact

Digital System

Directory

Display Server

DNS Lookup

Domain Registration

Enclave

File Selection

File System

File System Link

Hardware Device

Hardware Driver

Identifier

Interprocess Communication

Intrusion Detection System

Kernel Process Table

Log

Metadata

Network

Network Flow

Network Node

Network Traffic

Operating System

Partition

Partition Table

Physical Location

Platform

Pointer

Process

Process Image

Process Tree

Record

Resource

Sensor

Session

Software

Stack Component

Storage

System Call

Task Schedule

Trust Store

Files

File

Archive File

Java Archive

Custom Archive File

Certificate File

CA Certificate File

Configuration File

Operating System Configuration File

Property List File

User Init Configuration File

Application Configuration File

Compiler Configuration File

Container Image

Document File

HTML File

Office Application File

Email Attachment

Multimedia Document File

Executable File

Executable Binary

Executable Script

Init Script

Network Init Script File Resource

User Init Script

PowerShell Profile Script

Python Script File

System Init Script

User Startup Script File

Web Script File

Password File

Symbolic Link

Fast Symbolic Link

NTFS Junction Point

NTFS Symbolic Link

POSIX Symbolic Link

Slow Symbolic Link

Alias

NTFS Link

NTFS Hard Link

Software Library File

Log File

Operating System Log File

Command History Log File

Object File

Kernel Module

Shared Library File

Operating System Shared Library File

Operating System File

Operating System Executable File

Shortcut File

Windows Shortcut File

Database File

Network Traffic

Network Packets

Network Session

Remote Command

Remote Procedure Call

Remote Database Query

Remote Terminal Session

Outbound Network Traffic

Outbound Internet DNS Lookup Traffic

Outbound Internet File Transfer Traffic

Outbound Internet Network Traffic

Outbound Internet Web Traffic

Outbound Internet Encrypted Web Traffic

Outbound Internet Encrypted Traffic

Outbound Internet Encrypted Remote Terminal Traffic

Outbound Internet Mail Traffic

Outbound Internet RPC Traffic

RPC Network Traffic

Intranet RPC Network Traffic

Web Network Traffic

Intranet Web Network Traffic

IPC Network Traffic

Intranet IPC Network Traffic

Mail Network Traffic

Inbound Internet Mail Traffic

Administrative Network Traffic

Intranet Administrative Network Traffic

DNS Network Traffic

File Transfer Network Traffic

Internet File Transfer Traffic

Intranet File Transfer Traffic

Inbound Network Traffic

Inbound Internet Network Traffic

Inbound Internet DNS Response Traffic

Internet Network Traffic

Intranet Network Traffic

Intranet Multicast Network Traffic

Local Area Network Traffic

Software

Software Library

Shim

Application Shim

Software Patch

Subroutine

Exception Handler

Input Function

User Input Function

Stored Procedure

Authentication Function

Console Output Function

Copy Memory Function

Deserialization Function

Eval Function

External Content Inclusion Function

File Path Open Function

Import Library Function

Log Message Function

Mathematical Function

Memory Allocation Function

Memory Free Function

Pointer Dereferencing Function

Process Start Function

Raw Memory Access Function

Serialization Function

Shared Resource Access Function

String Format Function

Thread Start Function

System Service Software

Local Authorization Service

Task Scheduler Software

Local Authentication Service

System Software

Host-based Firewall

Kernel

Utility Software

System Time Application

Network Agent

Application

Client Application

Password Manager

Service Application

Software Deployment Tool

Virtualization Software

Container Orchestration Software

Container Runtime

Credential Management System

Web Server Application

User Application

Office Application

Browser

Browser Extension

Collaborative Software

Business Communication Platform Client

Chatroom Client

Instant Messaging Client

Developer Application

Build Tool

Compiler

Software Packaging Tool

Container Build Tool

Operating System Packaging Tool

Code Analyzer

Dynamic Analysis Tool

Static Analysis Tool

Source Code Analyzer Tool

Test Execution Tool

Integration Test Execution Tool

Unit Test Execution Tool

Version Control Tool

Network Traffic Analysis Software

Application Installer

Firmware

Microcode

Peripheral Firmware

Graphics Card Firmware

Hard Disk Firmware

Human Input Device Firmware

Network Card Firmware

Peripheral Hub Firmware

System Firmware

Shadow Stack

A shadow stack is a mechanism for protecting a procedure's stored return address, such as from a stack buffer overflow. The shadow stack itself is a second, separate stack that "shadows" the program call stack. In the function prologue, a function stores its return address to both the call stack and the shadow stack. In the function epilogue, a function loads the return address from both the call stack and the shadow stack, and then compares them. If the two records of the return address differ, then an attack is detected.

ID: d3f:ShadowStack

ⓘ

Type: Top Level Artifacts

Informational References

https://d3fend.mitre.org/dao/artifact/d3f:ShadowStack/

D3FEND Techniques

Name	Description

SPARTA Countermeasures

ID	Name	Description